Last year, Harvard Business School Press published a very interesting book entitled IT Risk: Turning Business Threats into Competitive Advantage by George Westerman and Richard Hunter. Westerman is a Research Scientist at the Center for Information Systems Research at the MIT Sloan School of Management; Hunter is Group Vice President and Gartner Fellow at Gartner Executive Programs. The book is not solely about information security, though it should be of interest to information security professionals, especially those in management positions. If you haven’t yet read this book, I highly recommend it.
Westerman and Hunter introduce what they call “the 4A Risk Management Framework” for managing IT risk. The 4As are:
Based on how they define their terms, one could reasonably argue that “access” is roughly equivalent to confidentiality and “accuracy” is similar to integrity in the traditional CIA triad. As for “agility,” Westerman and Hunter define it as “the capability to change with managed cost and speed.” For example, implementing a nonstandard software package that doesn’t fit internal technology architecture standards could be an agility risk, for a variety of reasons. One reason would be if the package impacts the organization’s ability to modify the system easily if/when the business model changes. So defined, “agility” could certainly be indirectly related to “availability” (in at least extreme cases), but it is clear that “agility” is a concept that goes beyond CIA.
Additionally, “agility” is a concept that I think is very useful for information security professionals. Here’s why. I often hear relatively new information security professionals (as well as some very experienced “purists”) talk about information security requirements on the one hand and business requirements on the other hand, as if information security requirements and business requirements are at odds. At least in the private sector, that’s just an incorrect way of viewing the situation. In the private sector, there are just business requirements. Those requirements may include security, but at the end of the day security is only relevant to the extent it contributes to the business. In my experience, what people often (but not always) mean when they contrast “security requirements” with “the business” is the tradeoff between security and agility. Effective CISOs help organizations find the proper balance between security and agility.
I hope it is clear from the above comments that I am not in any way trying to argue that the CIA triad is defective because it doesn’t focus on agility. It is possible to implement information security without any regard for the impact on agility. Indeed, this is precisely what some security professionals try (at their own risk) to do. Rather, my point is that it would be valuable for security professionals to think about how the CIA triad fits into the larger business context. Thinking about agility as an independent consideration for evaluating business proposals for security is one way to do that.
Because I find the tradeoff between “security” and “agility” to be so pervasive, I’ve decided to title this column, “Agile Security.” Future postings will talk through specific scenarios where this tradeoff comes into play.